In February 2025, I wrote a blog, "7 reasons why 2025 could be the year of the non-human identity (NHI)". As we move into this new year, it’s time to ask, ‘did 2025 live up to that prediction?’
I've been thinking and I’ve concluded that while NHI was certainly a hot industry buzzword, 2025 was not the year of the non-human identity. I’m taking a devil’s advocate stance to explain why.
To maintain consistency with part one, I'll attempt to justify this position with 7 reasons.

Author:
Paul Dawson
Chief Services Officer at CyberIAM
1. The Breach Story Was Third-Party Risk
The first blog piece spoke to the fact that NHIs have been at the core of a large number of breaches. Whilst that undoubtedly remains the case, 2025 became the year of supply chain and third-party breaches. Although often ultimately there may well have been an NHI credential involved in the attack, the starting point was the third-party element (see especially the well-publicised retail outages).
As such, I feel that CISOs in the second half of the year probably had a greater focus on vendor risk management than on machine identity governance. I expect that our partners, SailPoint, would attest to that with the interest in their excellent Non-Employee Risk Management product.
2. AI Took Over the Narrative
Instead of NHI being the headline, AI dominated every conversation. NHI was often mentioned as a subset of AI risk, but not as a standalone priority.
Last February, I made the point that AI agents will see an explosion in the number of NHIs. I stand by that of course, but the pace at which AI has grown, and the number of product releases from the identity security software vendors, have meant that addressing the risk of AI itself has become the story, rather than the NHIs associated with the agents.
3. The Basics Still Aren’t Done
Something that I may have underestimated earlier in the year is the reality that many organisations are still struggling with human identity fundamentals (MFA gaps, privileged access hygiene, governance over regulated access, JML automation, etc.), leaving little bandwidth for NHI maturity. At CyberIAM, we continue to assist with greenfield IGA implementations, and although I had a very good conversation recently on how improving machine identity security can be considered as low-hanging fruit, the initial focus for these organisations is certainly on the human workforce element in the first instance.
4. What is an NHI and what controls are needed?
Is it NHI, machine identity, service account, or silicon identity? Vendors and analysts have debated which is the most appropriate terminology throughout 2025. It would be very unfair to suggest that nomenclature wars distracted progress, but it is the case that different types of NHI require different types of controls, and this does confuse the market.
For example, the CyberArk offering around managing certificate expiry is very different to the Veza visibility/remediation functionality, which is different again to SailPoint's service account ownership piece. I would be wary of any vendor claiming to solve the NHI challenge with a single offering.
5. Platformisation versus new tech
The major identity security vendors continue to speak to their full platform capabilities, whilst niche new players claim to solve 'just' the NHI element. The Palo Alto purchase of CyberArk brought identity security (and hence NHIs) to the forefront of cybersecurity in CISOs' minds in 2025, but it has led to discussions as to whether current tooling can address the needs (perhaps with new functionality which continues to arrive at pace) or whether specific NHI solutions from smaller, specialised vendors are required. It is confusing for specialists, never mind non-specialists, and hence surely slows down decision making on plans to address the NHI challenge within organisations.
6. Still a hidden problem? Visibility will come
For many organisations, the scale of the NHI challenge is often mostly hidden. Gartner introduced the term "Identity Visibility and Intelligence Platforms" this year, and the tooling available to discover NHIs across an IT estate and give visibility of them is being implemented and becoming mainstream. As identity tooling begins to show the numbers and specifics of the risk, I expect we will begin to see more focus on NHIs.
7. 6…7, 6…7
Whether 2025 was the year of the NHI is debatable, but as a father of teenagers it has certainly been the year of 6…7.
So, for this final item, let me make the counter argument…
NHI has been everywhere in 2025! The initial driver for me writing the February blog was content from the NHI community - undoubtedly this has been massive this year, with Lalit and team having specific areas and sessions at many of the global IAM conferences. To say that it isn't being talked about would be silly and wrong. Specialist NHI vendors are making waves, and the big vendors are talking about NHIs and introducing features.
To close, while NHI may not have 'owned' 2025, the groundwork is being laid. With visibility tools maturing and identity becoming central to security platforms, 2026 might be the year NHIs move from noisy buzzword to CISO priority.

